Public Keys and Wallets: How Crypto Ownership Actually Works

A "wallet" in crypto isn't where your crypto is stored. Your crypto is stored on the blockchain, a public ledger anyone can read. The wallet is the tool that holds the cryptographic key that proves you control specific entries on that ledger. Understanding this distinction is the foundation of safe crypto ownership.

The key pair underneath

Every crypto address is generated from a key pair:

Private key. A large random number (typically 256 bits). Whoever knows this number can authorize transactions from the corresponding address. Must be kept secret.

Public key. Derived from the private key via one-way cryptography. Knowing the public key doesn't let you derive the private key. Used to verify signatures.

Address. A shorter, human-friendly representation of the public key (with some additional encoding). What you share when receiving funds.

The cryptographic asymmetry: the private key signs transactions; the public key verifies signatures; nobody can derive a private key from a public key without breaking modern cryptography.

When you "send" crypto, you're broadcasting a transaction signed with your private key. The network verifies the signature against your public key, sees that you own the funds at the address, and records the transfer to the recipient's address.

What a wallet actually does

A wallet:

Generates and stores private keys
Derives addresses from those keys
Constructs transactions when you want to send
Signs the transactions with the private key
Broadcasts signed transactions to the network
Reads the blockchain to show you balances

The wallet doesn't hold the crypto. The crypto exists as ledger entries on the blockchain. The wallet holds the keys that prove you control those entries.

If your wallet software is destroyed but you have the private keys (or the seed phrase that generates them), you can restore the wallet on another device and access the same funds. The funds were never in the wallet.

If you lose the keys without backup, the funds are permanently inaccessible. They still exist on the blockchain, but no one can prove ownership. They're "lost."

Seed phrases, the master backup

Modern wallets use a seed phrase (also called "mnemonic" or "recovery phrase"): a sequence of 12 or 24 words that encodes all the private keys the wallet generates.

The seed phrase is the master backup. From the seed phrase, the wallet can regenerate every private key it ever created. Restore the seed phrase on any compatible wallet, get access to all the funds.

The corollary: anyone who has your seed phrase has your funds. Seed phrase exposure = total compromise. Never store the seed phrase digitally. Never type it into anything other than a wallet recovery flow. Never share it with anyone (no legitimate support will ever ask for it).

The standard practice: write the seed phrase on paper or metal, store in physical secure location. For larger holdings, multiple copies in different secure locations.

Wallet types

Several categories with different trade-offs:

1. Hot wallets (software). Wallets that run on internet-connected devices, mobile apps (MetaMask, Trust Wallet, Phantom), desktop apps, browser extensions. Convenient. Vulnerable to malware, phishing, device compromise.

Use for: small amounts, active trading on DEXs, funds you'd lose without devastating impact.

2. Cold wallets (hardware). Dedicated devices that store private keys offline. Ledger, Trezor, GridPlus. Connect to a computer to sign transactions, but the private keys never leave the device.

Use for: meaningful amounts of long-term holdings. The standard for serious self-custody.

3. Paper wallets. Private keys printed on paper. No active wallet software involved. Fully offline. Must use special software to spend funds (importing the paper key).

Use for: very long-term cold storage. Less common now that hardware wallets exist.

4. Custodial accounts (exchanges, custodians). You don't control the keys; the custodian does. You have a claim on the assets, not direct ownership.

Use for: actively-trading capital where convenience matters more than direct ownership. Self-custody for everything else.

5. Multi-signature wallets. Require multiple keys to sign transactions. Can be set up so that, e.g., 2 of 3 keys are needed. Reduces single-key compromise risk. Good for large institutional holdings.

The rule of thumb: hot wallets for active small amounts; hardware wallets for meaningful holdings; custodial for actively-traded capital only.

What "your keys, your coins" actually means

The crypto saying "not your keys, not your coins" is mechanically true. If you don't control the private keys, you don't directly control the underlying assets, you have a claim on the custodian.

Custodial claims have failure modes:

Custodian goes bankrupt (FTX)
Custodian is hacked (Mt. Gox)
Custodian freezes your account (any centralized service in jurisdictional disputes)
Custodian implements rules you disagree with (delisting, withdrawals halts)

Direct key control eliminates these failure modes. You can't be rugged by a custodian who doesn't have your keys.

The trade-off: with great power comes great responsibility. You can lose direct-controlled funds in ways custodians' insurance might cover for them (lost seed phrase, hacked device, signed bad transaction).

For most people, the right balance is: small amount on exchange for active trading; the bulk in self-custody.

A common mistake: confusing wallets with accounts

A trader treats their MetaMask wallet like a bank account. They expect "support" if something goes wrong. They don't keep backups. They ask for help when they lose their seed phrase.

But a wallet isn't an account, it's local key storage. There's no support. There's no recovery process beyond the seed phrase. If you lose the keys without backup, the funds are gone.

The fix: from day one, treat self-custody seriously. Backup the seed phrase. Test recovery. Understand that you're the bank now.

A common mistake: trusting wallet software with private keys

A trader uses a random new wallet software they found via Twitter ad. The software has malicious code that exfiltrates private keys. Wallet drained.

The fix: only use wallet software with established reputation, audited code, and large user bases. MetaMask, Phantom, Rabby, hardware wallets from major brands. New wallet software with no track record is high-risk.

A common mistake: copying addresses incorrectly

A trader copies a wallet address. Malware on their device replaces the copied address with the attacker's address. They paste, send funds. Funds go to attacker.

The fix: verify the first and last characters of addresses you paste. For large transactions, verify more characters. Some wallets show address checksums to make this easier. The clipboard hijack is a common malware pattern.

A common mistake: signing without understanding

A dApp asks you to sign a transaction. The trader signs without reading. The transaction grants unlimited token approval to the dApp. Dapp drains tokens.

The fix: hardware wallets show transaction details on the device itself before signing. Read what you're signing. For unfamiliar dApps, be especially careful. Approval transactions should be limited in scope.

A common mistake: same wallet for everything

A trader uses one wallet for all activity: long-term holdings, active trading, DeFi experiments, NFT mints. Any compromise (signing a bad transaction in the experimental DeFi protocol) exposes everything.

The fix: separate wallets for different risk profiles. Cold wallet for long-term holdings (never connects to dApps). Hot wallet for active trading. Burner wallet for experimental dApps. Compromise of the burner doesn't touch the cold wallet.

A common mistake: forgetting which wallet has what

Self-custody multiplies operational complexity. A trader has multiple wallets across multiple chains. They lose track of which wallet has which assets. They miss airdrops, can't find specific tokens, make sub-optimal decisions due to incomplete information.

The fix: portfolio tracking software (Zapper, DeBank, similar) aggregates positions across wallets and chains. Set up tracking from day one.

Mental model, wallets as the keys to your safety deposit boxes

Imagine your crypto holdings as safety deposit boxes in various banks (the blockchains). Each box has a unique key (the private key). The wallet is your keychain, it holds the keys.

Lose the keychain (your wallet) but have a backup of the keys (seed phrase): make a new keychain, back to operating.

Lose the keys without backup: the boxes are inaccessible forever. The contents still exist; no one can open them.

Give someone else the keys (custodial): they decide when you can open the boxes. They can change the locks, refuse access, or empty them.

Self-custody is keeping the keys yourself. Custodial is letting someone else hold the keys. Both are valid for different purposes; understand which you're doing for each holding.

Why this matters for trading

Wallet security is the foundation of self-custody. Active trading typically uses some custodial exposure (exchanges); the long-term holdings should generally be self-custodied. Hex37's paper trading environment lets you practice the trading mechanics without the wallet complexity; once you go live and self-custody becomes relevant, the basics covered here are the foundation.

Takeaway

A wallet doesn't hold your crypto, it holds the private keys that prove ownership of crypto on the blockchain. Wallet types: hot (software, convenient), cold (hardware, secure), custodial (exchange-held, no direct control). Use hardware wallets for meaningful holdings. Seed phrases on physical storage only, never digital. Separate wallets for different risk profiles. Verify addresses before sending. Read transactions before signing. The fundamental responsibility shift in self-custody: you're the bank now.